1. KDC to ipa-otpd: this can be changed in
/var/kerberos/krb5kdc/kdc.conf. I think the timeout should be larger
than the (largest) second timeout - and I think retries=0 is best.
This is for communication between KDC and ipa-otpd.
2. There is a timeout in each RADIUS server config in IPA for the
communication from ipa-otpd to external RADIUS servers:
`----
Again I think that for OTPs we are probably best with retries=0.
On older clients it might be helpful to add "udp_preference_limit = 0"
to /etc/krb5.conf - at least on my Debian/Ubuntu machines.

Ok. It would probably make sense to file a ticket to FreeIPA tracker to
get these changes in FreeIPA 4.5.

I've learned about the following timeouts for RADIUS authentication,
every single one can hit you when RADIUS takes a long time (which it shouldn't):
* sssd has a default kerberos timeout of six seconds.
Can be changed in /etc/sssd/sssd.conf: krb5_auth_timeout,
which also seems to work for auth_provider = ipa, but is not
documented in sssd-ipa(5).

sssd-ipa(5) says:
--------
The IPA provider accepts the same options used by the
sssd-ldap(5) identity provider and the sssd-krb5(5)
authentication provider with some exceptions described
below.
--------
I'm not sure how much we could improve here.

* There is a timeout for krb5kdc talking to ipa-otpd.
Can be changed in /var/kerberos/krb5kdc/kdc.conf with:
[otp]
 DEFAULT = {
  timeout = 15
  retries = 0
  strip_realm = false
 }
* In IPA there is also a radius-timeout which can be changed in the webui
or with "ipa radiusproxy-mod <radius> --timeout=INT"
I found it quite challenging to wrap my head around the whole process
from PAM/SSS/KRB5/IPA-OTPD to FreeRADIUS/privacyidea, but now I'm quite
happy with what I've learned.
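
An added example, not from the thread or from FreeIPA: a small Python check that reads the sssd.conf and kdc.conf settings named above and compares the three timeouts. The domain name, the sample file contents and the RADIUS timeout of 10 are constructed, the rule that sssd's timeout should exceed the KDC's is this example's assumption, and the fallbacks 5 and 3 are the defaults documented for the [otp] section of kdc.conf.

```python
import configparser
import re

# Constructed sample files; domain name and values are illustrative only.
SAMPLE_SSSD = """
[domain/example.test]
auth_provider = ipa
"""
SAMPLE_KDC = """
[otp]
 DEFAULT = {
  timeout = 15
  retries = 0
  strip_realm = false
 }
"""

def parse_otp_stanza(kdc_conf_text, name="DEFAULT"):
    """Return the settings of one token type in the [otp] section of kdc.conf."""
    section = re.search(r"^\[otp\]\s*$(.*?)(?=^\[|\Z)", kdc_conf_text, re.M | re.S)
    stanza = section and re.search(r"^\s*%s\s*=\s*\{(.*?)\}" % re.escape(name),
                                   section.group(1), re.M | re.S)
    if not stanza:
        return {}
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)\s*$", stanza.group(1), re.M))

def check_timeout_chain(sssd_conf_text, domain, kdc_conf_text, radius_timeout):
    """List the hops whose timeout is not larger than the hop behind them."""
    sssd = configparser.ConfigParser(interpolation=None)
    sssd.read_string(sssd_conf_text)
    # sssd falls back to six seconds when krb5_auth_timeout is not set.
    client = sssd.getint("domain/" + domain, "krb5_auth_timeout", fallback=6)
    otp = parse_otp_stanza(kdc_conf_text)
    kdc = int(otp.get("timeout", 5))      # krb5 default when the tag is absent
    retries = int(otp.get("retries", 3))  # krb5 default when the tag is absent
    findings = []
    if client <= kdc:  # assumption of this example: outer hop must outwait inner
        findings.append("sssd krb5_auth_timeout=%d <= kdc otp timeout=%d" % (client, kdc))
    if kdc <= radius_timeout:
        findings.append("kdc otp timeout=%d <= radius timeout=%d" % (kdc, radius_timeout))
    if retries != 0:
        findings.append("kdc otp retries=%d, thread suggests 0" % retries)
    return findings

if __name__ == "__main__":
    for line in check_timeout_chain(SAMPLE_SSSD, "example.test", SAMPLE_KDC, 10):
        print("WARN:", line)
```

The radius_timeout argument is the value set with "ipa radiusproxy-mod <radius> --timeout=INT"; the script does not query IPA for it.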